ars

Synopsis

Description

Audit Remote Server (ARS) is the counterpart of the audit_remote(5) plugin. Data
sent by the plugin can be captured, processed, and stored by the
server according to its configuration.

ARS is delivered as a disabled Solaris audit component. It is necessary
to configure ARS before it can be used to process a remote
audit trail. ARS configuration is twofold:

the underlying security mechanisms used for secure audit data transport have to be configured (see audit_remote(5));

the audit remote subsystem has to be configured.

To observe and configure the ARS, use the auditconfig(1M) -setremote and -getremote
options. The configuration is divided between the server and group keywords. The
server configuration allows for changing common ARS parameters, while the group keyword
allows configuration of connection groups, the sets of hosts sharing the same local
storage parameters.

Server configuration attributes

listen_address

The address the server listens on. An empty listen_address attribute defaults to listen on all local addresses.

listen_port

The local listening port; 0 defaults to 16162, the port associated with the “solaris-audit” Internet service name. See services(4).

login_grace_time

The server disconnects after login grace time (in seconds) if the connection has not been successfully established; 0 defaults to no limit.

max_startups

The number of concurrent unauthenticated connections to the server at which the server starts refusing new connections. The value may be specified in begin:rate:full format to allow random early drop mode, for example 10:30:60, meaning that ARS would refuse connection attempts with a probability of rate/100 (30% in our example) if there are currently 10 (the begin field) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60 in our example).

The maximum size of each of the stored audit trail files; 0 defaults to no limit.

binfile_minfree

The minimum free space on the file system holding binfile_dir before audit_binfile informs the administrator via audit_warn(1M); 0 defaults to no limit.

hosts

The hosts in the given connection group allowed to send audit data to the server. A comma is the delimiter in case of multiple host entries. If hosts is empty, such a connection group is called a wild card connection group. If a new connection cannot be classified into any other (non-wild card) connection group and there is an active wild card connection group configured, the new connection is classified into that connection group. Only one active wild card connection group can be configured.

Examples

Example 1 Audit Remote Server configuration

The following example describes the steps to configure the audit remote server to listen
on a specific address. One wild card and one non-wild card connection group
will be created. The non-wild card connection group configuration will accept remote
audit data from tic.cz.example.com and tac.us.example.com; the trail will be stored in
/var/audit/remote.
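The max_startups random early drop rule and the connection-group classification described above, modelled in Python as an added example; this is not ARS code, and the group names, the group dictionary and the assumption that every configured group is active are constructed for the demonstration.

```python
import random

def parse_max_startups(value):
    """Parse max_startups as a plain count or as begin:rate:full."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])          # plain count: refuse everything at n
        return (n, 100, n)
    if len(parts) != 3:
        raise ValueError("expected N or begin:rate:full")
    begin, rate, full = (int(p) for p in parts)
    if not (0 <= rate <= 100 and 0 <= begin <= full):
        raise ValueError("bad max_startups value")
    return (begin, rate, full)

def refusal_probability(unauth, begin, rate, full):
    """Probability of refusing a new connection given the current number
    of unauthenticated connections: 0 below begin, rate/100 at begin,
    rising linearly to 1.0 at full."""
    if unauth < begin:
        return 0.0
    if unauth >= full:
        return 1.0
    base = rate / 100
    return base + (1 - base) * (unauth - begin) / (full - begin)

def should_refuse(unauth, cfg, rng=random.random):
    """Random early drop decision; rng is injectable for deterministic tests."""
    return rng() < refusal_probability(unauth, *cfg)

def classify(host, groups):
    """Assign a connecting host to a connection group.
    groups maps group name -> attribute dict; an empty 'hosts' attribute
    marks the wild card group (assumed active here)."""
    wild = [name for name, attrs in groups.items() if not attrs.get("hosts")]
    if len(wild) > 1:
        raise ValueError("only one active wild card connection group allowed")
    for name, attrs in groups.items():
        members = [h.strip() for h in attrs.get("hosts", "").split(",") if h.strip()]
        if host in members:
            return name
    return wild[0] if wild else None   # None: connection cannot be accepted

# Constructed configuration mirroring Example 1 (group names are assumptions).
EXAMPLE_GROUPS = {
    "tictac": {"hosts": "tic.cz.example.com,tac.us.example.com",
               "binfile_dir": "/var/audit/remote"},
    "catchall": {"hosts": ""},
}
```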